By Sharon Gaudin
June 19, 2006
A defense lawyer in an ongoing federal computer sabotage trial is
pushing the idea that four years ago, a hacker masqueraded as his
client to surreptitiously plant the logic bomb that took down
thousands of servers at UBS PaineWebber, thus framing an innocent man.
Roger Duronio, a former systems administrator at UBS, is currently on
trial in a District Court in Newark, N.J., for allegedly building and
distributing the logic bomb that crippled the company's ability to do
business for a day in some locations, and for as long as two to three
weeks in others, costing UBS a reported $3.1 million in cleanup costs
alone. If convicted, Duronio faces a maximum sentence of 30 years,
fines of up to $1 million and restitution for the money UBS spent on
Chris Adams, Duronio's attorney and a partner at Walder Hayden &
Brogan in Roseland, N.J., has been throwing a slew of who-done-it
theories at the jury, including an outside hacker, another systems
administrator or even a slip-up by Cisco Systems, Inc., which was
doing a penetration test of the UBS network during the March 4, 2002
But one major theme that Adams keeps returning to is the idea of
someone " whether inside UBS or outside " using IP spoofing to pretend
to log into the company's Unix-based network from Duronio's home,
using the defendant's own corporate VPN connection. That's Adam's
explanation for why forensics examiners and federal investigators
traced remote connections to the network directly back to Duronio's
own IP address, during the times when pieces of the malicious code
were being planted on the system. The problem with this theory,
according to several security professionals and even one long-time
hacker, is that, technically, it simply can't be done.
''Spoofing the IP address is not difficult,'' says Johannes Ullrich,
chief research officer at the SANS Institute, a Bethesda, Md.-based
cyber security training and certification organization. ''The problem
is transferring data with a spoofed IP addressIt's close to impossible
to do.'' Ullrich also is the chief technology officer for the Internet
Storm Center, a cooperative cyber threat monitoring and alert system.
IP spoofing (short for Internet Protocol address spoofing) is a way to
fool a computer into thinking that a packet is coming from machine A
when it is really coming from machine B. The header of every IP packet
contains its source address " normally the address that the packet was
sent from. By putting a different address into the header, a hacker
can give the appearance that the packet was sent from a different
IP spoofing often is used for denial-of-service attacks because the
attacker simply has to overwhelm a network with a flood of pings or
useless traffic. explains Ken van Wyk, a 20-year IT security veteran
and principal consultant with KRvW Associates, LLC of Alexandria, Va.
A session doesn't have to be established. The attacker, simply put,
has to pound on the door " he doesn't actually need to be let inside.
But Duronio's defense attorney has been asking various UBS witnesses
who have taken the stand so far to talk about IP spoofing and
sniffing, which is the act of capturing information " generally
packets " as they go over the network. ''You can read the packets and
use them to pretend you're coming from another IP address, can't
you?'' Adams last week asked Rafael Mendez, who was UBS' division vice
president for network services at the time of the attack. Mendez
responded that spoofing becomes much more difficult to do if the
packets are encrypted. He also said most ISPs set up sniffing
roadblocks, blocking that kind of security problem. The idea of
hackers using IP spoofing is generally traced back to Kevin Mitnick,
one of the world's most famous hackers and a cause celebre at one time
in the hacker community. Mitnick was arrested in 1995 and was
convicted of wire fraud and breaking into computer systems at major
companies like Sun Microsystems, Inc. and Motorola. He used IP
spoofing to try to hide his identity during at least one attack.
The difference between what Mitnick did, and what the defense in the
Duronio trial is suggesting happened in this case, is that in this
latest scenario, IP spoofing would have had to have been used to load
actual lines of code onto the UBS servers. Mitnick just needed to get
a few packets through to the receiving server " a real session
wouldn't have had to have been established. That's a whole different
story from starting and maintain a session long enough to load on, or
modify code, says George Bakos, a self-proclaimed hacker with 20 years
of experience, and a senior security expert with the Institute for
Security Technology Studies at Dartmouth College in Hanover, N.H.
''When you connect to a machine, there are dozens of packets that are
exchanged just to authenticate and get ready to do things,'' says
Bakos, who said he broke into his first mainframe back in 1979. ''If
you're modifying code, or changing 70 lines of code, it would like
taking hundreds, if not thousands, of TCP segments.''
Bakos explained that when using TCP (Transmission Control Protocol),
every data segment that's sent must be acknowledged by the recipient.
That acknowledgement contains a number that must be used when the
sending computer ships more data to the server. They are called TCP
sequence numbers, and the exchange of these numbers must remain
The problem, according to both Bakos and Ullrich, is that with IP
spoofing, the acknowledgement goes back to the true owner of the IP
address " not to the machine that is pretending to be at that address.
Since the server would not get a response from the spoofed address,
the connection would be broken.
Van Wyk said it would be like sending a postcard with someone else's
address on it. If the person who receives the card, responds, she'll
reply to the address written on the card and it will never get to the
''You can do it for a few packets, but the synchronization challenge
is very, very difficult,'' says Bakos. ''Once you lose
synchronization, then everything else you've done is thrown away.
Unfortunately, when doing TCP spoofing, you're flying blind. You never
see the responses come back to you. And what you're doing is out of
synch with what the server is doing Then everything that you got into
the server will be tossed out if you don't maintain that
Ullrich says the TCP sequence numbers are chosen randomly out of 4
billion options. He says guessing it would be ''close to impossible''
or at least a one-in-4-billion chance. Back in the mid-1990s, these
numbers were not picked randomly, so Mitnick had a much easier job
figuring out which ones to use.
And Ullrich also notes that an IP spoofing attack would be fairly easy
to spot on an enterprise system. ''If something is trying to do that
on your network, it's pretty obvious. It generates a lot of traffic
because these hosts are sending acknowledgements that they don't
understand.'' He also said there would be a record of the attempts.
As for a hacker using a sniffing technique to get the IP address while
it's in transmission, Ullrich explained that a VPN has its own
encryption, along with ways to validate the IP address and the user.
''That's what you have a VPN for,'' he said. ''All the traffic is
encrypted and authenticated. Unless you're NSA or somebody like that,
you're not going to break that encryption.''
Copyright =A9 2005 CMP Media LLC
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.